Personal data leaks: risks and self-protection measures for citizens
In recent years, there has been a notable increase in reported security incidents involving personal data leaks, where users' personal data has been exposed or compromised due to security breaches affecting companies or organisations. These incidents not only impact the entities responsible for data processing, but can also have a direct effect on the individuals whose data is involved.
Recently, several security incidents have made headlines, in which companies across different industries and sizes have reported unauthorised and unlawful access to their customers' data. As a result, the confidentiality of customer personal data held by these companies has been compromised—ranging from basic identification details to payment-related information.
But what is a data leak and what risks does it pose?
A data leak occurs when personal or confidential data is accessed, copied or extracted by unauthorised third parties as a result of a security incident. These situations typically stem from a security breach caused by a cyberattack, human error or misconfiguration of security systems, ultimately leading to exposure or exfiltration of information.
From a regulatory standpoint, these incidents are governed by the General Data Protection Regulation (GDPR). Under this framework, companies and organisations that experience a personal data breach are required to notify the Spanish Data Protection Agency (AEPD) of the incident, unless the breach is unlikely to pose a risk to individuals' rights and freedoms. Where the breach is likely to pose a high risk to those rights and freedoms, the data controller must also inform the affected individuals.
As highlighted in several media reports, the types of data involved in a leak can vary widely:
- Personal data (full names, ID numbers)
- Contact information (phone numbers, email addresses or locations)
- Financial data (account numbers or IBANs)
- Passwords, contract-related data, service usage details or medical information, depending on the company’s operations and the nature of the exposed database
Exposure of this kind of information can lead to significant risks for affected individuals. These include identity theft to open bank accounts, sign up for phone lines, apply for loans, or carry out fraudulent actions in the victim’s name; unauthorised access to social media accounts or profiles; or targeted fraud attempts using leaked data to make the deception more credible.
These risks have already materialised in recent real-life cases, such as:
- Early last year, Spain’s National Police dismantled a criminal organisation that had defrauded more than €400,000 through fraudulent purchases on e-commerce platforms. The group illegally obtained the victims' banking data from databases leaked on the dark web.
- In another recent case, a scammer called a victim pretending to be a bank employee, warning them of a supposed fraud attempt on their account. To make the scam more convincing, the caller correctly provided the victim's personal details, such as their full name, account number and ID number—data that may have been sourced from previous data leaks.
Given the risks, what general protection measures can be applied?
The Spanish National Cybersecurity Institute (Incibe) offers a blog and several guides with information and training on cyber security for the general public. Among its resources are practical tips and steps to secure compromised accounts or to improve account security in general. Some of the recommended measures include:
- Change all passwords, both for services that were compromised and for any other accounts where the same login credentials may have been used.
- Avoid weak passwords, as they are the easiest to crack. To reduce risk, use strong, unique passwords and password managers to handle different credentials across accounts.
- Enable additional security measures, such as two-factor authentication wherever it’s available.
- For email addresses, consider using alternative email accounts for signing up to services whenever possible. This helps avoid using your primary email—which likely contains more personal information—and reduces exposure to spam and potential leaks.
- In the case of banking data, if you suspect it may have been compromised, immediately notify your bank to assess the risk and follow their recommendations, which may include cancelling your bank card or reviewing suspicious activity. Additionally, whenever possible, use virtual cards for online purchases to enhance digital payment security.
- Lastly, try to find out which specific data has been compromised. As a precaution, it's safest to assume that any information shared with a breached company could be affected.
As a final recommendation, it’s good practice to regularly check for potential data leaks and periodically review your accounts. You can also run a basic online search using your full name or ID number to detect fake profiles, identity theft or suspicious activity. This practice is known as egosurfing, and its purpose is to monitor what personal information is easily accessible online.
There are also specific tools to check whether an email address has appeared in any known data breach, such as Have I Been Pwned or Google One’s dark web report, which will be available until 16 February.
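As an added example that is not part of the original article or of Incibe's or Have I Been Pwned's own code: a Python check of a password against the Have I Been Pwned "Pwned Passwords" range API, which receives only the first five hex characters of the password's SHA-1 hash, so the password itself never leaves the machine. The endpoint and the Add-Padding header are the service's documented ones; the sample response and its counts are constructed here so the parsing can be run offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Download all known hash suffixes for one 5-char prefix (real network call).
    Add-Padding makes the service include dummy 0-count rows so the response
    size does not reveal which prefix was queried."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_from_range(suffix, range_text):
    """Parse 'SUFFIX:COUNT' lines and return how often the full hash was seen (0 if absent)."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        line_suffix, _, count = line.partition(":")
        if line_suffix.upper() == suffix:
            return int(count)
    return 0


def password_breach_count(password, fetch=fetch_range):
    """Return the number of times the password appears in known breach data."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_from_range(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (format only; the counts are made up, not real HIBP data).
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password")
    "0123456789ABCDEF0123456789ABCDEF012:2",
    "FEDCBA9876543210FEDCBA9876543210FED:0",        # padding row as sent with Add-Padding
])


def sample_fetch(prefix):
    """Offline stand-in for fetch_range so the check runs without network access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase 4 this site"):
        n = password_breach_count(pw, fetch=sample_fetch)
        print(f"{pw!r}: seen {n} times in sample data" if n else f"{pw!r}: not in sample data")
```

Replace `sample_fetch` with the default `fetch_range` to query the live service; a non-zero count means the password should be changed everywhere it was reused.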
Additionally, Incibe offers a citizen support service that provides free and confidential guidance through different communication channels, under the name Tu Ayuda en Ciberseguridad.